[OAUTH-WG] Re: Orie Steele's Discuss on draft-ietf-oauth-resource-metadata-10: (with DISCUSS and COMMENT)
David Waite <david@alkaline-solutions.com> Wed, 02 October 2024 21:56 UTC
Return-Path: <david@alkaline-solutions.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3203EC180B44; Wed, 2 Oct 2024 14:56:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.064
X-Spam-Level:
X-Spam-Status: No, score=-2.064 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, T_KAM_HTML_FONT_INVALID=0.01, T_REMOTE_IMAGE=0.01, T_SCC_BODY_TEXT_LINE=-0.01, T_SPF_HELO_TEMPERROR=0.01, T_SPF_TEMPERROR=0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=alkaline-solutions.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 06T5SNtd16cN; Wed, 2 Oct 2024 14:56:33 -0700 (PDT)
Received: from mail.alkaline-solutions.com (caesium6.alkaline.solutions [157.230.133.164]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A2C07C180B6A; Wed, 2 Oct 2024 14:56:14 -0700 (PDT)
From: David Waite <david@alkaline-solutions.com>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=alkaline-solutions.com; s=dkim; t=1727906174; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=Fkc8V7tRhJx6zzaNL0tirTxPo4RKJBOGrClHQBkLpqU=; b=n3HzwuSKcBd5MSTvlbXk+QsMcq6EK9F1Y3XfU3HWdrP0sprU3lQxjcwAb+feivORt5KALa fY7FFgoG1OpBoZA9K9+t3QPvgYSi4xb5plNnN5+DcvClNZ87GjXaPrgfbvwAdL25uTooAP qQDFUu+QXa63mdvvzXyg40zsKdyaOzk89jSN2PN69p5QnH3la0kD+txRhlFLMgFMv/HqHY 1x80tUTJorlgUerKJkGUffNI3AR+YB+4oi75o9HSMKraVa2wbQstHoQT644RoRaF+c5EXb i0aSlox+AKc3AS+1WNNSU3MrBA6D6lr11pIU2//+rf5cRluSLh/NI0JiBbuU2Q==
Authentication-Results: mail.alkaline-solutions.com; auth=pass smtp.mailfrom=david@alkaline-solutions.com
Message-Id: <61A5574D-3571-42A5-8E56-C735365DABFB@alkaline-solutions.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_01FD4989-11B8-4450-9125-16241B4E510A"
Mime-Version: 1.0
Date: Wed, 02 Oct 2024 15:56:01 -0600
In-Reply-To: <CAN8C-_+VZNzZqsGDRXZ7_37wfu_JDQ4-Q63NpnWLV9Zi0jdYtw@mail.gmail.com>
To: Orie Steele <orie@transmute.industries>
References: <172780986106.795146.3754827883737941273@dt-datatracker-7bbd96684-zjf54> <PH0PR02MB7430C2C8DC6289BA1DAA520AB7772@PH0PR02MB7430.namprd02.prod.outlook.com> <PH0PR02MB7430B4D44B362D6EC95BE6B5B7702@PH0PR02MB7430.namprd02.prod.outlook.com> <CAN8C-_+Sb0upN1Qq0mKWeAeLj0tiJuqMcnVA10h83RyLquxZYA@mail.gmail.com> <A4755690-5B8E-4D25-AE34-3DE1AB4C3538@alkaline-solutions.com> <CAN8C-_+VZNzZqsGDRXZ7_37wfu_JDQ4-Q63NpnWLV9Zi0jdYtw@mail.gmail.com>
X-Spamd-Bar: /
Message-ID-Hash: AWJETOBTQPGDJ7KUTTYREF42GCNZ4IPM
X-Message-ID-Hash: AWJETOBTQPGDJ7KUTTYREF42GCNZ4IPM
X-MailFrom: david@alkaline-solutions.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: The IESG <iesg@ietf.org>, "draft-ietf-oauth-resource-metadata@ietf.org" <draft-ietf-oauth-resource-metadata@ietf.org>, "oauth-chairs@ietf.org" <oauth-chairs@ietf.org>, "oauth@ietf.org" <oauth@ietf.org>
X-Mailman-Version: 3.3.9rc5
Precedence: list
Subject: [OAUTH-WG] Re: Orie Steele's Discuss on draft-ietf-oauth-resource-metadata-10: (with DISCUSS and COMMENT)
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/ZM3HNkeR1V-Pob3J82PU679OpVY>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>
This looks acceptable to me as well -DW > On Oct 2, 2024, at 3:49 PM, Orie Steele <orie@transmute.industries> wrote: > > Hi David, > > I am clearing my discuss based on https://github.com/oauth-wg/draft-ietf-oauth-resource-metadata/pull/59 > > For the sake of clarity, let's look at an example: > > http://www.example.com/d%C3%BCsseldorf?neighbourhood=L%C3%B6rick > > This would become: > > http://www.example.com/.well-known/oauth-protected-metadata/d%C3%BCsseldorf?neighbourhood=L%C3%B6rick > > And would resolve to: > > HTTP/1.1 200 OK > Content-Type: application/json > > { > "resource": > "http://www.example.com/d%C3%BCsseldorf?neighbourhood=L%C3%B6rick", > "authorization_servers": > ["https://as1.example.com <https://as1.example.com/>", > "https://as2.example.net <https://as2.example.net/>"], > "bearer_methods_supported": > ["header", "body"], > "scopes_supported": > ["profile", "email", "phone"], > "resource_documentation": > "https://resource.example.com/resource_documentation.html" > } > > See also: > > - https://datatracker.ietf.org/doc/html/rfc7320#section-2.4 > - https://datatracker.ietf.org/doc/html/rfc8820#name-uri-queries > > You might constrain the query for .well-known/oauth-protected-metadata (for example, you could forbid common oauth query params) ... but you cannot constrain the query for the original protected resource URLs, without limiting the applicability of your proposed standard... it's possible I am incorrectly interpreting RFC7320 and RFC8820, but the spirit of what I am trying to say is: > > Do not tell applications that their resource identifiers that use query parameters are not resource identifiers. > > It's fine to warn them of the consequences of their design decisions on deploying oauth-protected-metadata, which you are already doing with the "SHOULD NOT" in https://datatracker.ietf.org/doc/html/draft-ietf-oauth-resource-metadata-11#section-1.2-3.2. > > Regards, > > OS > > > > > On Wed, Oct 2, 2024 at 1:27 PM David Waite <david@alkaline-solutions.com <mailto:david@alkaline-solutions.com>> wrote: >> >> >>> On Oct 2, 2024, at 11:38 AM, Orie Steele <orie@transmute.industries> wrote: >>> >>> Hi Mike, >>> >>> Your PR looks good to me. >>> >>> My objection is limited to defining http based resource identifiers as "URIs" that do not contain query, because this contradicts the common interpretation of http resource identifiers which includes: >>> >>> The query component contains non-hierarchical data that, along with >>> data in the path component (Section 3.3), serves to identify a >>> resource within the scope of the URI's scheme and naming authority >>> (if any). >>> >>> https://datatracker.ietf.org/doc/html/rfc3986#section-3.4 >>> >>> I don't believe you need to describe in any detail how query parameters interact with well known URIs. >> >> The challenge of course is that there is no canonical representation of a query component, nor is the query component itself required to be in a particular format like query parameters. The various HTTP implementations _may_ restrict themselves to only support query parameters, and may further do so in a way that does not preserve the original escaping or ordering. >> >> The resource identifier is meant to be understood by the client, which often is not first party to the AS. This means that unlike Resource Parameters in RFC 8707, allowing query parameters but not answering the question on how such would be handled will have a stronger negative impact on interoperability. >> >> Conveying queries in a metadata request also adds the risk that it will share OAuth request information more broadly, e.g. if the well-known logic and the protected resource logic are separated responsibilities. >> >> I would propose that a resource identifier is the URI with query and fragment components _removed_, e.g. that all accepted query components amount to a collection with the same metadata. This clarifies that the spec does not attempt to restrict to only resource servers which do not use query components. >> >> Otherwise, the protected resource metadata request needs to be modified to include a query component, every possible query will be sent to this endpoint, and we probably should note the potential of sharing request information. >> >> -DW >> > > > -- > > ORIE STEELE > Chief Technology Officer > www.transmute.industries <http://www.transmute.industries/> > <https://transmute.industries/>
- [OAUTH-WG] Orie Steele's Discuss on draft-ietf-oa… Orie Steele via Datatracker
- [OAUTH-WG] Re: Orie Steele's Discuss on draft-iet… Michael Jones
- [OAUTH-WG] Re: Orie Steele's Discuss on draft-iet… Michael Jones
- [OAUTH-WG] Re: Orie Steele's Discuss on draft-iet… Orie Steele
- [OAUTH-WG] Re: Orie Steele's Discuss on draft-iet… David Waite
- [OAUTH-WG] Re: Orie Steele's Discuss on draft-iet… Orie Steele
- [OAUTH-WG] Re: Orie Steele's Discuss on draft-iet… David Waite